Microsoft Defender for Endpoint auditing capabilities


Important correction [must read]

At the time of creating the video I overlooked the fact that CloudAppEvents are available in the portal and that you can sync them using the Microsoft XDR connector.
This means that what I say at 12:39 is not true: there is a way to get these logs into Sentinel easily.

Using advanced hunting in the portal we can query the CloudAppEvents table. These are similar to the logs I showed in chapter 09:05 (Accessing the audit logs – audit logs in MDCA activity logs):

CloudAppEvents
| extend data = parse_json(RawEventData)
| where data.Workload == "MicrosoftDefenderForEndpoint"
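The query above only filters on the workload. As an added example that is not part of the original post, the following advanced hunting query builds on it to show which Defender for Endpoint actions were recorded, by whom and from where; it assumes the standard CloudAppEvents columns (Timestamp, ActionType, AccountDisplayName, IPAddress, RawEventData) and the Workload value used above.

```kql
// Added example (not from the original post): summarise Defender for Endpoint
// actions found in CloudAppEvents over the last 7 days.
// Assumes the standard CloudAppEvents columns listed in the lead-in.
CloudAppEvents
| where Timestamp > ago(7d)
| extend data = parse_json(RawEventData)
| where data.Workload == "MicrosoftDefenderForEndpoint"
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SourceIPs = make_set(IPAddress, 10)
    by ActionType, AccountDisplayName
| order by Events desc
```

Once the Microsoft XDR connector syncs CloudAppEvents into Sentinel, the same query can be run there unchanged.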

Getting these logs into Sentinel

You can get the logs into Sentinel using the Microsoft XDR connector, where you can choose to sync the CloudAppEvents table. Be aware that these logs will cost a lot, as this is a log that generates a large amount of data.
